Issue with Site-to-Site VPN between Checkpoint and Cisco ASA

ORZpasserAtw (Level 1)
ASA5505 (branch): LAN 192.168.88.254/24, WAN 60.0.0.1
        ------ Internet ------
CP1555 (HQ): LAN 192.168.169.254/24, WAN 59.0.0.1

Cisco Adaptive Security Appliance Software Version 9.2(3)
Checkpoint 1500 Appliance Version R81.10.10 (996002945)

Here's the partial running config:

object-group network local-network
network-object 192.168.88.0 255.255.255.0
object-group network remote-network
network-object 192.168.169.0 255.255.255.0
access-list asa-router-vpn extended permit ip object-group local-network object-group remote-network
access-list asa-router-vpn2 extended permit ip object-group remote-network object-group local-network
access-list alloweverything standard permit any4
nat (inside,outside) source dynamic obj-192.168.88.0 interface
nat (inside,outside) source static local-network local-network destination static remote-network remote-network no-proxy-arp route-lookup
crypto ipsec ikev1 transform-set ESP-AES-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 120
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 10 match address asa-router-vpn
crypto map outside_map 10 set peer 59.0.0.1
crypto map outside_map 10 set ikev1 transform-set ESP-AES-MD5
crypto map outside_map interface outside
crypto ca trustpool policy
crypto isakmp identity hostname
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash md5
group 2
lifetime 300
tunnel-group 59.0.0.1 type ipsec-l2l
tunnel-group 59.0.0.1 ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive threshold 15 retry 10

sh cry isa sa

IKEv1 SAs:

Active SA: 1
Rekey SA: 1 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1 IKE Peer: 59.0.0.1
Type : L2L Role : responder
Rekey : no State : MM_REKEY_DONE_H2
2 IKE Peer: 59.0.0.1
Type : L2L Role : responder
Rekey : yes State : MM_ACTIVE_REKEY

There are no IKEv2 SAs

sh cry ipsec sa

There are no ipsec sas


Checkpoint side config:

Connection type: Hostname or IP address
60.0.0.1
Pre-Shared Secret: *****
Encryption domain: manually
Site Name: HQ_subnet 192.168.88.0/24

Encryption settings: Custom
IKE (Phase 1)
Encryption: AES-128
Authentication: MD5
DH Group: Group 2
Renegotiate every: 5 minutes
IPSec (Phase 2)
Encryption: AES-128
Authentication: MD5
[Disabled] Perfect Forward Secrecy
Renegotiate every: 120 seconds

[Disabled] Remote gateway is a Check Point Security Gateway
[Enabled] Enable permanent VPN tunnels
[Enabled] Disable NAT for this site
[Disabled] Allow traffic to the Internet from remote site through this Security Gateway
Encryption Method: IKEv1
[Disabled] Enable aggressive mode for IKEv1

13 Replies

Can you explain more what the issue is here?

MHM

Could you try to remove the isakmp keepalives from under the tunnel group and clear the tunnel and see if this makes any difference please?

Removed, no help.

Also, it sometimes says MM_ACTIVE, but no IPsec SAs are displayed.

Nothing else comes to mind. Try to check this link just to make sure nothing was missed on the CheckPoint configuration side please. Also, could you please run the following debug commands and share the sanitized output for review?

How To's: Configure Site-to-Site VPN between Check Point firewall and Cisco ASA firewall

debug crypto ikev1 127
debug crypto ipsec 127

I am 100% sure the pre-shared key matches.

Jul 07 16:48:50 [IKEv1]IKE Receiver: Packet received on 60.0.0.1:500 from 59.0.0.1:500
Jul 07 16:48:50 [IKEv1]IP = 59.0.0.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 148
Jul 07 16:48:50 [IKEv1 DEBUG]IP = 59.0.0.1, processing SA payload
Jul 07 16:48:50 [IKEv1 DEBUG]IP = 59.0.0.1, Oakley proposal is acceptable
Jul 07 16:48:50 [IKEv1 DEBUG]IP = 59.0.0.1, processing VID payload
Jul 07 16:48:50 [IKEv1 DEBUG]IP = 59.0.0.1, Received NAT-Traversal RFC VID
Jul 07 16:48:50 [IKEv1 DEBUG]IP = 59.0.0.1, processing VID payload
Jul 07 16:48:50 [IKEv1 DEBUG]IP = 59.0.0.1, processing IKE SA payload
Jul 07 16:48:50 [IKEv1 DEBUG]IP = 59.0.0.1, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 2
Jul 07 16:48:50 [IKEv1 DEBUG]IP = 59.0.0.1, constructing ISAKMP SA payload
Jul 07 16:48:50 [IKEv1]IP = 59.0.0.1, NAT-T disabled in crypto map outside_map 1.
Jul 07 16:48:50 [IKEv1 DEBUG]IP = 59.0.0.1, constructing Fragmentation VID + extended capabilities payload
Jul 07 16:48:50 [IKEv1]IP = 59.0.0.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Jul 07 16:48:50 [IKEv1]IKE Receiver: Packet received on 60.0.0.1:500 from 59.0.0.1:500
Jul 07 16:48:50 [IKEv1]IP = 59.0.0.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + NONE (0) total length : 332
Jul 07 16:48:50 [IKEv1 DEBUG]IP = 59.0.0.1, processing ke payload
Jul 07 16:48:50 [IKEv1 DEBUG]IP = 59.0.0.1, processing ISA_KE payload
Jul 07 16:48:50 [IKEv1 DEBUG]IP = 59.0.0.1, processing nonce payload
Jul 07 16:48:50 [IKEv1 DEBUG]IP = 59.0.0.1, processing VID payload
Jul 07 16:48:50 [IKEv1 DEBUG]IP = 59.0.0.1, Received DPD VID
Jul 07 16:48:50 [IKEv1 DEBUG]IP = 59.0.0.1, constructing ke payload
Jul 07 16:48:50 [IKEv1 DEBUG]IP = 59.0.0.1, constructing nonce payload
Jul 07 16:48:50 [IKEv1 DEBUG]IP = 59.0.0.1, constructing Cisco Unity VID payload
Jul 07 16:48:50 [IKEv1 DEBUG]IP = 59.0.0.1, constructing xauth V6 VID payload
Jul 07 16:48:50 [IKEv1 DEBUG]IP = 59.0.0.1, Send IOS VID
Jul 07 16:48:50 [IKEv1 DEBUG]IP = 59.0.0.1, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Jul 07 16:48:50 [IKEv1 DEBUG]IP = 59.0.0.1, constructing VID payload
Jul 07 16:48:50 [IKEv1 DEBUG]IP = 59.0.0.1, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jul 07 16:48:50 [IKEv1]IP = 59.0.0.1, Connection landed on tunnel_group 59.0.0.1
Jul 07 16:48:50 [IKEv1 DEBUG]Group = 59.0.0.1, IP = 59.0.0.1, Generating keys for Responder...
Jul 07 16:48:50 [IKEv1]IP = 59.0.0.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 384
Jul 07 16:48:50 [IKEv1]IKE Receiver: Packet received on 60.0.0.1:500 from 59.0.0.1:500
Jul 07 16:48:50 [IKEv1]IP = 59.0.0.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
Jul 07 16:48:50 [IKEv1 DEBUG]Group = 59.0.0.1, IP = 59.0.0.1, processing ID payload
Jul 07 16:48:50 [IKEv1 DECODE]Group = 59.0.0.1, IP = 59.0.0.1, ID_IPV4_ADDR ID received 59.0.0.1
Jul 07 16:48:50 [IKEv1 DEBUG]Group = 59.0.0.1, IP = 59.0.0.1, processing hash payload
Jul 07 16:48:50 [IKEv1 DEBUG]Group = 59.0.0.1, IP = 59.0.0.1, Computing hash for ISAKMP
Jul 07 16:48:50 [IKEv1]IP = 59.0.0.1, Connection landed on tunnel_group 59.0.0.1
Jul 07 16:48:50 [IKEv1 DEBUG]Group = 59.0.0.1, IP = 59.0.0.1, constructing ID payload
Jul 07 16:48:50 [IKEv1 DEBUG]Group = 59.0.0.1, IP = 59.0.0.1, constructing hash payload
Jul 07 16:48:50 [IKEv1 DEBUG]Group = 59.0.0.1, IP = 59.0.0.1, Computing hash for ISAKMP
Jul 07 16:48:50 [IKEv1]IP = 59.0.0.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
Jul 07 16:48:50 [IKEv1]Group = 59.0.0.1, IP = 59.0.0.1, Failure during phase 1 rekeying attempt due to collision
Jul 07 16:48:50 [IKEv1 DEBUG]Group = 59.0.0.1, IP = 59.0.0.1, IKE MM Responder FSM error history (struct &0x00007f33ec7f10d0) <state>, <event>: MM_DONE, EV_ERROR-->MM_SND_MSG6_H, EV_SND_MSG_OK-->MM_SND_MSG6_H, EV_SND_MSG-->MM_SND_MSG6, EV_SND_MSG-->MM_BLD_MSG6, EV_ENCRYPT_OK-->MM_BLD_MSG6, NullEvent-->MM_BLD_MSG6, EV_ENCRYPT_MSG-->MM_BLD_MSG6, EV_CHECK_IA
Jul 07 16:48:50 [IKEv1 DEBUG]Group = 59.0.0.1, IP = 59.0.0.1, IKE SA MM:f7dc1825 terminating: flags 0x01000002, refcnt 0, tuncnt 0
Jul 07 16:48:50 [IKEv1 DEBUG]Group = 59.0.0.1, IP = 59.0.0.1, sending delete/delete with reason message
Jul 07 16:48:50 [IKEv1 DEBUG]Group = 59.0.0.1, IP = 59.0.0.1, constructing blank hash payload
Jul 07 16:48:50 [IKEv1 DEBUG]Group = 59.0.0.1, IP = 59.0.0.1, constructing IKE delete payload
Jul 07 16:48:50 [IKEv1 DEBUG]Group = 59.0.0.1, IP = 59.0.0.1, constructing qm hash payload
Jul 07 16:48:50 [IKEv1]IP = 59.0.0.1, IKE_DECODE SENDING Message (msgid=dece7d8b) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
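The capture above reads cleanly once the main-mode messages (msgid=0) are separated from anything with a non-zero msgid. The Python below is an added example, not code from the thread or from either vendor: it parses a constructed excerpt of the debug lines posted above (the six main-mode IKE_DECODE lines, the vendor IDs, the peer ID, the failure and the DELETE; the remaining DEBUG lines are omitted) and states what they show: main mode completes through MM6, the ASA immediately logs the collision failure and sends an informational DELETE, and no Quick Mode exchange ever appears, which is why `sh cry ipsec sa` is empty.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample in the format of the "debug crypto ikev1 127" output above (abridged).
SAMPLE_DEBUG = """\
Jul 07 16:48:50 [IKEv1]IP = 59.0.0.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 148
Jul 07 16:48:50 [IKEv1 DEBUG]IP = 59.0.0.1, Received NAT-Traversal RFC VID
Jul 07 16:48:50 [IKEv1]IP = 59.0.0.1, NAT-T disabled in crypto map outside_map 1.
Jul 07 16:48:50 [IKEv1]IP = 59.0.0.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Jul 07 16:48:50 [IKEv1]IP = 59.0.0.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + NONE (0) total length : 332
Jul 07 16:48:50 [IKEv1 DEBUG]IP = 59.0.0.1, Received DPD VID
Jul 07 16:48:50 [IKEv1]IP = 59.0.0.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 384
Jul 07 16:48:50 [IKEv1]IP = 59.0.0.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
Jul 07 16:48:50 [IKEv1 DECODE]Group = 59.0.0.1, IP = 59.0.0.1, ID_IPV4_ADDR ID received 59.0.0.1
Jul 07 16:48:50 [IKEv1]IP = 59.0.0.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
Jul 07 16:48:50 [IKEv1]Group = 59.0.0.1, IP = 59.0.0.1, Failure during phase 1 rekeying attempt due to collision
Jul 07 16:48:50 [IKEv1]IP = 59.0.0.1, IKE_DECODE SENDING Message (msgid=dece7d8b) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
"""

DECODE_RE = re.compile(r"IKE_DECODE (RECEIVED|SENDING) Message \(msgid=([0-9a-f]+)\) with payloads : (.+?) total length")
PEER_RE = re.compile(r"IP = (\d+\.\d+\.\d+\.\d+)")
PEER_ID_RE = re.compile(r"ID_IPV4_ADDR ID received\s+(\d+\.\d+\.\d+\.\d+)")
VID_RE = re.compile(r"Received (.+?) VID")
FAIL_RE = re.compile(r"(Failure during .+)$")


@dataclass
class IkeSummary:
    peer: Optional[str] = None
    main_mode: List[Tuple[str, List[str]]] = field(default_factory=list)   # msgid 0 exchanges (phase 1)
    quick_mode: List[Tuple[str, List[str]]] = field(default_factory=list)  # non-zero msgid carrying an SA (phase 2)
    peer_id: Optional[str] = None
    vendor_ids: List[str] = field(default_factory=list)
    nat_t_disabled: bool = False
    errors: List[str] = field(default_factory=list)
    delete_sent: bool = False


def parse_payloads(text: str) -> List[str]:
    """'HDR + SA (1) + VENDOR (13) + NONE (0)' -> ['HDR', 'SA', 'VENDOR', 'NONE']"""
    return [re.sub(r"\s*\(\d+\)", "", p).strip() for p in text.split("+")]


def summarize_ikev1_debug(text: str) -> IkeSummary:
    s = IkeSummary()
    for line in text.splitlines():
        if s.peer is None and (m := PEER_RE.search(line)):
            s.peer = m.group(1)
        if m := DECODE_RE.search(line):
            direction, msgid, payloads = m.groups()
            names = parse_payloads(payloads)
            if int(msgid, 16) == 0:          # main mode always runs with msgid 0
                s.main_mode.append((direction, names))
            elif "SA" in names:              # quick mode carries an SA payload under a fresh msgid
                s.quick_mode.append((direction, names))
            elif "DELETE" in names and direction == "SENDING":
                s.delete_sent = True         # informational exchange tearing the IKE SA down
        elif m := PEER_ID_RE.search(line):
            s.peer_id = m.group(1)
        elif m := VID_RE.search(line):
            s.vendor_ids.append(m.group(1))
        elif "NAT-T disabled" in line:
            s.nat_t_disabled = True
        elif m := FAIL_RE.search(line):
            s.errors.append(m.group(1))
    return s


def diagnose(s: IkeSummary) -> List[str]:
    """Turn the summary into the findings a reviewer would state about this capture."""
    findings = []
    if len(s.main_mode) == 6 and s.main_mode[-1][0] == "SENDING" and "ID" in s.main_mode[-1][1]:
        findings.append("Main mode completed: all six messages exchanged, ASA (responder) sent MM6")
    if s.peer_id and s.peer_id == s.peer:
        findings.append(f"Peer identified itself as ID_IPV4_ADDR {s.peer_id}, matching its source address")
    for err in s.errors:
        findings.append(f"Phase 1 SA torn down right after MM6: {err}")
    if s.delete_sent:
        findings.append("ASA sent an informational DELETE for the freshly built IKE SA")
    if not s.quick_mode:
        findings.append("No Quick Mode exchange seen, so no IPsec SA was ever negotiated (matches 'There are no ipsec sas')")
    if s.nat_t_disabled and any("NAT-Traversal" in v for v in s.vendor_ids):
        findings.append("Peer offered NAT-T but the crypto map has NAT-T disabled; harmless unless a NAT device sits in the path")
    return findings


if __name__ == "__main__":
    for finding in diagnose(summarize_ikev1_debug(SAMPLE_DEBUG)):
        print("-", finding)
```

Run it against a full `debug crypto ikev1 127` capture (sanitised, as asked above) and the absence of any non-zero-msgid message carrying an SA payload is the quickest confirmation that the tunnel never reaches phase 2, regardless of what `sh cry isa sa` reports as MM_ACTIVE.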

"Jul 07 16:48:50 [IKEv1]Group = 59.0.0.1, IP = 59.0.0.1, Failure during phase 1 rekeying attempt due to collision"

Based on this link, this error appears when there is a discrepancy in the ISAKMP lifetime, which doesn't seem to be the case here, so I'm not really sure why you are getting that error. What options do you have on Check Point for the phase 1 lifetime? Is it only in minutes, or can you set it in seconds?

Troubleshoot Common L2L and Remote Access IPsec VPN Issues - Cisco

@ORZpasserAtw you are sending the hostname (not the default) as the IKE identity. Is the Check Point firewall expecting to match the IKE identity on your hostname or on the IP address? Normally it would expect to receive the IP address to match against.

Run debugs as @Aref Alsouqi suggested, this will provide a clue.

There's no option on the Check Point to set a specific identity (unless you enable aggressive mode for IKEv1), so I don't know what identity it sends, but the ASA side is configured with
crypto isakmp identity address

lifetime 300 <<- this is so short; make it longer. With 300 sec, i.e. 5 min, you will surely face issues.

Recommended value: 86400 (24 hr)

MHM


I already tried changing the Check Point phase 1 renegotiate timer before, and its default is 1440 minutes (24 hr).

Both peers need to use the same lifetime, i.e.

the ASA and the Check Point must have the same lifetime (24 hr).

MHM

Any news?

MHM

Are you configuring the Checkpoint VPN using "traditional" or "community/simplified" mode?

Check Point defaults phase 1 to 1440 minutes (24 hours) and phase 2 to 3600 seconds (1 hour). The ASA, I think, defaults phase 1 to 86400 seconds (24 hours) and phase 2 to 28800 seconds (8 hours). Make sure both sides match.

Edit:  Also please replace "crypto isakmp identity hostname" with "crypto isakmp identity address".
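To check the two sides' parameters the way the replies above recommend, with the Check Point phase 1 value (set in minutes) normalised to the ASA's seconds before comparing, here is an added Python example; it is not part of the thread and not tooling from either vendor. It parses a constructed excerpt of the ASA config posted at the top, compares it with a dictionary form of the Check Point "Custom" settings, and reports hard mismatches separately from warnings: the 300 s / 120 s lifetimes, `crypto isakmp identity hostname`, and the MD5 / DH group 2 choice, which is deprecated even though both peers agree on it. The `_FIXED` variants apply the changes suggested in the thread (identity by address, 24 h phase 1, 1 h phase 2) and are assumptions about what the poster would set, not something the thread confirms.

```python
from typing import Dict, List

# Constructed excerpt in the style of the ASA config posted in the thread (short lifetimes, hostname ID).
ASA_CONFIG = """\
crypto ipsec ikev1 transform-set ESP-AES-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 120
crypto isakmp identity hostname
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash md5
 group 2
 lifetime 300
"""

# The same excerpt with the changes the replies recommend (assumed values, not confirmed by the thread).
ASA_CONFIG_FIXED = """\
crypto ipsec ikev1 transform-set ESP-AES-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto isakmp identity address
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash md5
 group 2
 lifetime 86400
"""

# Constructed dictionary form of the Check Point "Custom" encryption settings shown above.
CHECKPOINT_SETTINGS = {
    "ike_encryption": "AES-128", "ike_authentication": "MD5", "ike_dh_group": "Group 2",
    "ike_renegotiate_minutes": 5,            # Check Point phase 1 lifetime is entered in minutes
    "ipsec_encryption": "AES-128", "ipsec_authentication": "MD5",
    "ipsec_renegotiate_seconds": 120,        # phase 2 lifetime is entered in seconds
    "pfs": False,
}
CHECKPOINT_SETTINGS_FIXED = dict(CHECKPOINT_SETTINGS, ike_renegotiate_minutes=1440, ipsec_renegotiate_seconds=3600)

# ASA keywords -> the names the Check Point UI uses. 'aes' / 'esp-aes' on the ASA mean AES-128.
ASA_ENC = {"aes": "AES-128", "aes-192": "AES-192", "aes-256": "AES-256", "3des": "3DES", "des": "DES"}
ASA_ESP_ENC = {"esp-" + k: v for k, v in ASA_ENC.items()}
ASA_HASH = {"md5": "MD5", "sha": "SHA1"}
ASA_ESP_AUTH = {"esp-md5-hmac": "MD5", "esp-sha-hmac": "SHA1"}
WEAK = {"MD5", "SHA1", "DES", "3DES", "Group 1", "Group 2", "Group 5"}


def parse_asa(config: str) -> Dict[str, object]:
    """Pull IKEv1 policy, transform-set, lifetimes and identity type out of an ASA config excerpt."""
    out: Dict[str, object] = {"ike_lifetime_seconds": 86400, "ipsec_lifetime_seconds": 28800,
                              "identity": "auto"}   # ASA defaults that apply when the lines are absent
    for line in config.splitlines():
        t = line.split()
        if len(t) >= 7 and t[:4] == ["crypto", "ipsec", "ikev1", "transform-set"]:
            out["ipsec_encryption"] = ASA_ESP_ENC.get(t[5], t[5])
            out["ipsec_authentication"] = ASA_ESP_AUTH.get(t[6], t[6])
        elif len(t) >= 6 and t[:5] == ["crypto", "ipsec", "security-association", "lifetime", "seconds"]:
            out["ipsec_lifetime_seconds"] = int(t[5])
        elif len(t) >= 4 and t[:3] == ["crypto", "isakmp", "identity"]:
            out["identity"] = t[3]
        elif len(t) == 2 and t[0] == "encryption":
            out["ike_encryption"] = ASA_ENC.get(t[1], t[1])
        elif len(t) == 2 and t[0] == "hash":
            out["ike_authentication"] = ASA_HASH.get(t[1], t[1])
        elif len(t) == 2 and t[0] == "group":
            out["ike_dh_group"] = "Group " + t[1]
        elif len(t) == 2 and t[0] == "lifetime":
            out["ike_lifetime_seconds"] = int(t[1])
    return out


def compare(asa: Dict[str, object], cp: Dict[str, object]) -> Dict[str, List[str]]:
    """Mismatches break the negotiation; warnings are things a reviewer would still flag."""
    mismatches, warnings = [], []
    for key in ("ike_encryption", "ike_authentication", "ike_dh_group", "ipsec_encryption", "ipsec_authentication"):
        if asa.get(key) != cp.get(key):
            mismatches.append(f"{key}: ASA={asa.get(key)} CheckPoint={cp.get(key)}")
        if cp.get(key) in WEAK:
            warnings.append(f"{key} {cp[key]} is deprecated (prefer AES, SHA-256 and DH group 14 or higher)")
    cp_ike_s = cp["ike_renegotiate_minutes"] * 60   # normalise minutes to seconds before comparing
    if asa["ike_lifetime_seconds"] != cp_ike_s:
        mismatches.append(f"phase 1 lifetime: ASA={asa['ike_lifetime_seconds']}s CheckPoint={cp_ike_s}s")
    if asa["ipsec_lifetime_seconds"] != cp["ipsec_renegotiate_seconds"]:
        mismatches.append(f"phase 2 lifetime: ASA={asa['ipsec_lifetime_seconds']}s CheckPoint={cp['ipsec_renegotiate_seconds']}s")
    if asa["ike_lifetime_seconds"] < 3600:
        warnings.append(f"phase 1 lifetime {asa['ike_lifetime_seconds']}s forces a rekey every few minutes (ASA default 86400s)")
    if asa["ipsec_lifetime_seconds"] < 3600:
        warnings.append(f"phase 2 lifetime {asa['ipsec_lifetime_seconds']}s forces constant IPsec rekeys (ASA default 28800s)")
    if asa["identity"] == "hostname":
        warnings.append("crypto isakmp identity hostname: ASA sends its hostname as IKE ID; a peer configured by IP expects ID_IPV4_ADDR")
    return {"mismatches": mismatches, "warnings": warnings}


if __name__ == "__main__":
    for label, cfg, cp in (("as posted", ASA_CONFIG, CHECKPOINT_SETTINGS), ("fixed", ASA_CONFIG_FIXED, CHECKPOINT_SETTINGS_FIXED)):
        result = compare(parse_asa(cfg), cp)
        print(label, "mismatches:", result["mismatches"])
        print(label, "warnings:", result["warnings"])
```

On the settings as posted the comparison finds no mismatch at all, which is the point: the thread's symptoms are not a proposal mismatch, and the remaining output is a list of warnings (very short lifetimes, hostname identity, MD5 and group 2). Changing only one side, for example setting the Check Point to 1440 min / 3600 s while leaving the ASA at 300 s / 120 s, produces two lifetime mismatches, which is the state the "both sides must match" replies warn about.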
